author | Jan Cholasta <jcholast@redhat.com> | 2013-04-18 18:06:54 +0200 |
committer | Rob Crittenden <rcritten@redhat.com> | 2013-04-30 11:05:39 -0400 |
commit | ddd8988f1cd2c5ecafb476a6efca15e906cb84df (patch) | |
tree | 3994509cc53d83effbfb54049895ef41b8fc1231 /freeipa.spec.in | |
parent | 5d6a9d3befb5434dd7b2d1bbafd76050f22743a2 (diff) | |
Add support for OpenSSH 6.2.
Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config
on openssh-server update.
https://fedorahosted.org/freeipa/ticket/3571
Diffstat (limited to 'freeipa.spec.in')
-rw-r--r-- | freeipa.spec.in | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index fc1c6abd..a10d80e1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -570,6 +570,42 @@ if [ $1 -gt 1 ] ; then
     fi
 fi
 
+%triggerin -n freeipa-client -- openssh-server
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+    if egrep -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+        sed -r '
+            /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+        ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+            sed -ri '
+                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+            sed -ri '
+                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+            sed -ri '
+                s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+                s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+            ' /etc/ssh/sshd_config.ipanew
+        fi
+
+        mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+        /sbin/restorecon /etc/ssh/sshd_config
+        chmod 600 /etc/ssh/sshd_config
+
+        /bin/systemctl condrestart sshd.service 2>&1 || :
+    fi
+fi
+
 %if ! %{ONLY_CLIENT}
 %files server -f server-python.list
 %defattr(-,root,root,-)
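Review bot: The rewritten config is written to `/etc/ssh/sshd_config.ipanew` with the scriptlet's inherited umask and only gets `chmod 600` after the `mv`, so between the first `sed -r` and the final `chmod` the working copy, and briefly the live `/etc/ssh/sshd_config`, carry whatever mode the umask yields; setting `umask 077` at the top of the `%triggerin` body (or running `chmod 600 /etc/ssh/sshd_config.ipanew` right after it is created) closes that window. Separately, the `mv` runs unconditionally: the first `sed` already deleted every `AuthorizedKeysCommandUser`/`RunAs`/`PubKeyAgentRunAs` line, so if none of the three `sshd -t` probes succeeds the installed file keeps `AuthorizedKeysCommand` with no user directive, which newer sshd can reject at startup. Guarding the install with `if /usr/sbin/sshd -t -f /etc/ssh/sshd_config.ipanew; then` around the `mv`/`restorecon`/`chmod`/`condrestart` lines (and `rm -f` of the temp file otherwise) would keep a known-good config in place. Also, `2>&1 || :` on the `condrestart` line redirects stderr into the scriptlet's stdout rather than discarding it, which is presumably not the intent; `>/dev/null 2>&1 || :` matches the surrounding scriptlets' style.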
@@ -799,6 +835,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Tue Apr 30 2013 Jan Cholasta <jcholast@redhat.com> - 3.1.99-8
+- Add triggerin scriptlet to update sshd_config on openssh-server update
+
 * Thu Apr 25 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.99-7
 - Update nss and nss-tools dependency to fix certutil problem (#872761)
 